mir/apparmor
2
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor synced 2025-08-22 18:17:09 +00:00
Code Issues Releases Wiki Activity

Update parser to allow for multiple debug dump options via -D or --dump.

Browse Source 
This will allow turning on and off various debug dumps as needed.
Multiple dump options can be specified as needed by using multiple
options.
  eg. apparmor_parser -D variables
      apparmor_parser -D dfa-tree -D dfa-simple-tree


The help option has also been updated to take an optional argument
to display help about give parameters, currently only dump is supported.

  eg.  apparmor_parser -h       # standard help
       apparmor_parser -h=dump  # dump info about --dump options

Also Enable the dfa expression tree dumps
This commit is contained in:
John Johansen 2010-01-07 16:21:02 -08:00
parent 2f9259a215
commit 17a67d7227
5 changed files with 73 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
parser/libapparmor_re/apparmor_re.h
View File

@ -15,6 +15,11 @@
extern "C" { extern "C" {
#endif #endif
typedef enum dfaflags {
DFA_DUMP_TREE = 1,
DFA_DUMP_SIMPLE_TREE = 2,
} dfaflags_t;
struct aare_ruleset; struct aare_ruleset;
typedef struct aare_ruleset aare_ruleset_t; typedef struct aare_ruleset aare_ruleset_t;
@ -25,7 +30,8 @@ int aare_add_rule(aare_ruleset_t *rules, char *rule, int deny,
uint32_t perms, uint32_t audit); uint32_t perms, uint32_t audit);
int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms, int aare_add_rule_vec(aare_ruleset_t *rules, int deny, uint32_t perms,
uint32_t audit, int count, char **rulev); uint32_t audit, int count, char **rulev);
void *aare_create_dfa(aare_ruleset_t *rules, int equiv_classes, size_t *size); void *aare_create_dfa(aare_ruleset_t *rules, int equiv_classes, size_t *size,
dfaflags_t flags);
void aare_reset_matchflags(void); void aare_reset_matchflags(void);
#ifdef __cplusplus #ifdef __cplusplus

19
parser/libapparmor_re/regexp.y
View File

@ -2214,20 +2214,25 @@ extern "C" int aare_add_rule_vec(aare_ruleset_t *rules, int deny,
* else NULL on failure * else NULL on failure
*/ */
extern "C" void *aare_create_dfa(aare_ruleset_t *rules, int equiv_classes, extern "C" void *aare_create_dfa(aare_ruleset_t *rules, int equiv_classes,
size_t *size) size_t *size, dfaflags_t flags)
{ {
char *buffer = NULL; char *buffer = NULL;
label_nodes(rules->root); label_nodes(rules->root);
#ifdef DEBUG_TREE if (flags & DFA_DUMP_TREE) {
cerr << "pre opt tree\n"; cerr << "\nDFA: Expression Tree\n";
rules->root->dump(cerr); rules->root->dump(cerr);
#endif cerr << "\n\n";
}
rules->root = simplify_tree(rules->root); rules->root = simplify_tree(rules->root);
#ifdef DEBUG_TREE
cerr << "post opt tree\n"; if (flags & DFA_DUMP_SIMPLE_TREE) {
cerr << "\nDFA: Simplified Expression Tree\n";
rules->root->dump(cerr); rules->root->dump(cerr);
#endif cerr << "\n\n";
}
DFA dfa(rules->root); DFA dfa(rules->root);
map<uchar, uchar> eq; map<uchar, uchar> eq;

1
parser/parser.h
View File

@ -168,6 +168,7 @@ struct var_string {
#define FLAG_CHANGEHAT_1_5 3 #define FLAG_CHANGEHAT_1_5 3
extern int flag_changehat_version; extern int flag_changehat_version;
extern int read_implies_exec; extern int read_implies_exec;
extern dfaflags_t dfaflags;
#ifdef DEBUG #ifdef DEBUG
#define PDEBUG(fmt, args...) printf("parser: " fmt, ## args) #define PDEBUG(fmt, args...) printf("parser: " fmt, ## args)

55
parser/parser_main.c
View File

@ -38,6 +38,7 @@
#include "parser.h" #include "parser.h"
#include "parser_version.h" #include "parser_version.h"
#include "parser_include.h" #include "parser_include.h"
#include "libapparmor_re/apparmor_re.h"
#define MODULE_NAME "apparmor" #define MODULE_NAME "apparmor"
#define OLD_MODULE_NAME "subdomain" #define OLD_MODULE_NAME "subdomain"
@ -62,6 +63,7 @@ int binary_input = 0;
int names_only = 0; int names_only = 0;
int dump_vars = 0; int dump_vars = 0;
int dump_expanded_vars = 0; int dump_expanded_vars = 0;
dfaflags_t dfaflags = 0;
int conf_verbose = 0; int conf_verbose = 0;
int conf_quiet = 0; int conf_quiet = 0;
int kernel_load = 1; int kernel_load = 1;
@ -93,16 +95,13 @@ struct option long_options[] = {
{"add", 0, 0, 'a'}, {"add", 0, 0, 'a'},
{"binary", 0, 0, 'B'}, {"binary", 0, 0, 'B'},
{"base", 1, 0, 'b'}, {"base", 1, 0, 'b'},
{"debug", 0, 0, 'd'},
{"subdomainfs", 0, 0, 'f'}, {"subdomainfs", 0, 0, 'f'},
{"help", 0, 0, 'h'}, {"help", 2, 0, 'h'},
{"replace", 0, 0, 'r'}, {"replace", 0, 0, 'r'},
{"reload", 0, 0, 'r'}, /* undocumented reload option == replace */ {"reload", 0, 0, 'r'}, /* undocumented reload option == replace */
{"version", 0, 0, 'V'}, {"version", 0, 0, 'V'},
{"complain", 0, 0, 'C'}, {"complain", 0, 0, 'C'},
{"Complain", 0, 0, 'C'}, /* Erk, apparently documented as --Complain */ {"Complain", 0, 0, 'C'}, /* Erk, apparently documented as --Complain */
{"dump-variables", 0, 0, 'D'},
{"dump-expanded-variables", 0, 0, 'E'},
{"Include", 1, 0, 'I'}, {"Include", 1, 0, 'I'},
{"remove", 0, 0, 'R'}, {"remove", 0, 0, 'R'},
{"names", 0, 0, 'N'}, {"names", 0, 0, 'N'},
@ -117,6 +116,9 @@ struct option long_options[] = {
{"skip-read-cache", 0, 0, 'T'}, {"skip-read-cache", 0, 0, 'T'},
{"write-cache", 0, 0, 'W'}, {"write-cache", 0, 0, 'W'},
{"show-cache", 0, 0, 'k'}, {"show-cache", 0, 0, 'k'},
{"debug", 0, 0, 'd'},
{"dump", 1, 0, 'D'},
{"Dump", 1, 0, 'D'},
{NULL, 0, 0, 0}, {NULL, 0, 0, 0},
}; };
@ -156,7 +158,22 @@ static void display_usage(char *command)
"-Q, --skip-kernel-load Do everything except loading into kernel\n" "-Q, --skip-kernel-load Do everything except loading into kernel\n"
"-V, --version Display version info and exit\n" "-V, --version Display version info and exit\n"
"-d, --debug Debug apparmor definitions\n" "-d, --debug Debug apparmor definitions\n"
"-h, --help Display this text and exit\n" "-D [n], --dump Dump internal info for debugging\n"
"-h [command], --help Display this text or info about command\n"
,command);
}
static void display_dump(char *command)
{
display_version();
printf("\n%s: --dump [Option]\n\n"
"Options:\n"
"--------\n"
"no option specified Dump variables\n"
"variables Dump variables\n"
"expanded-variables Dump expanded variables\n"
"dfa-tree Dump expression tree\n"
"dfa-simple-tree Dump simplified expression tree\n"
,command); ,command);
} }
@ -189,7 +206,7 @@ static int process_args(int argc, char *argv[])
int count = 0; int count = 0;
option = OPTION_ADD; option = OPTION_ADD;
while ((c = getopt_long(argc, argv, "adf:hrRVvI:b:BCDENSm:qQn:XKTWk", long_options, &o)) != -1) while ((c = getopt_long(argc, argv, "adf:h::rRVvI:b:BCD:NSm:qQn:XKTWk", long_options, &o)) != -1)
{ {
switch (c) { switch (c) {
case 0: case 0:
@ -205,7 +222,15 @@ static int process_args(int argc, char *argv[])
debug++; debug++;
break; break;
case 'h': case 'h':
if (!optarg) {
display_usage(progname); display_usage(progname);
} else if (strcmp(optarg, "dump") == 0) {
display_dump(progname);
} else {
PERROR("%s: Invalid --help option %s\n",
progname, optarg);
exit(1);
}
exit(0); exit(0);
break; break;
case 'r': case 'r':
@ -245,12 +270,22 @@ static int process_args(int argc, char *argv[])
subdomainbase = strndup(optarg, PATH_MAX); subdomainbase = strndup(optarg, PATH_MAX);
break; break;
case 'D': case 'D':
skip_cache = 1;
if (!optarg) {
dump_vars = 1; dump_vars = 1;
skip_cache = 1; } else if (strcmp(optarg, "variables") == 0) {
break; dump_vars = 1;
case 'E': } else if (strcmp(optarg, "expanded-variables") == 0) {
dump_expanded_vars = 1; dump_expanded_vars = 1;
skip_cache = 1; } else if (strcmp(optarg, "dfa-tree") == 0) {
dfaflags |= DFA_DUMP_TREE;
} else if (strcmp(optarg, "dfa-simple-tree") == 0) {
dfaflags |= DFA_DUMP_SIMPLE_TREE;
} else {
PERROR("%s: Invalid --Dump option %s\n",
progname, optarg);
exit(1);
}
break; break;
case 'm': case 'm':
match_string = strdup(optarg); match_string = strdup(optarg);

6
parser/parser_regex.c
View File

@ -523,7 +523,8 @@ static int process_profile_name_xmatch(struct codomain *cod)
aare_delete_ruleset(rule); aare_delete_ruleset(rule);
return FALSE; return FALSE;
} }
cod->xmatch = aare_create_dfa(rule, 0, &cod->xmatch_size); cod->xmatch = aare_create_dfa(rule, 0, &cod->xmatch_size,
dfaflags);
aare_delete_ruleset(rule); aare_delete_ruleset(rule);
if (!cod->xmatch) if (!cod->xmatch)
return FALSE; return FALSE;
@ -666,7 +667,8 @@ int process_regex(struct codomain *cod)
goto out; goto out;
if (regex_type == AARE_DFA && cod->dfarule_count > 0) { if (regex_type == AARE_DFA && cod->dfarule_count > 0) {
cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size); cod->dfa = aare_create_dfa(cod->dfarules, 0, &cod->dfa_size,
dfaflags);
aare_delete_ruleset(cod->dfarules); aare_delete_ruleset(cod->dfarules);
cod->dfarules = NULL; cod->dfarules = NULL;
if (!cod->dfa) if (!cod->dfa)